OCR Audits Subject To Phishing Hack

Christine Bulgozdi
Associate Editor
Loyola University Chicago School of Law, JD 2018


Back in November, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an alert stating that a phishing scam masquerading as an OCR audit had been spotted being sent to Health Insurance Portability and Accountability Act (HIPAA) covered entities and their business associates. The phishing email appears to be an official communication from HHS, with directions and a link to begin the process for the HIPAA Privacy, Security and Breach Notification Audit. With phishing attacks on the rise, every covered entity needs to take additional precautions and train staff accordingly, so that employees are prepared to recognize these messages and help prevent security breaches.

The phishing email in question contains a link that sends the visitor to a non-governmental web page operated by the attacker instead of the actual government audit page. The trick is that the URL of that non-governmental page looks remarkably similar to HHS OCR's real governmental web address; the only difference is a single punctuation mark. Employees of various covered entities received the email repeatedly, and many fell victim to the phishing attack because of its resemblance to a genuine governmental email. In addition to the similar URL, the email also carries forged HHS letterhead with the actual signature of the OCR director.
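As an added illustration (not part of the original post), the following Python script shows the kind of check a mail-security team or helpdesk could run over a suspect message: it extracts every link, accepts only hosts that are genuinely under hhs.gov, and flags hosts that differ from hhs.gov by punctuation alone or by a character or two. The sample email body and the lookalike domain hhs-gov.test are constructed for this example; the post does not reproduce the actual scam URL, and nothing here is taken from it.

```python
import re
from urllib.parse import urlparse

# The domain the message claims to come from (HHS OCR, per the post).
LEGIT_DOMAIN = "hhs.gov"

# Matches http(s) links up to whitespace or a closing delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def is_legit_host(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only when host is the legitimate domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_punct(s: str) -> str:
    """Collapse a hostname to letters and digits so 'hhs-gov' and 'hhs.gov' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify_host(host: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'other' for a hostname found in a link."""
    if is_legit_host(host, legit):
        return "legit"
    bare = host.lower().rstrip(".")
    if bare.startswith("www."):
        bare = bare[4:]
    # Case 1: the real name is embedded in a host that is not under it
    # (hhs-gov.test, hhs.gov.something.test): punctuation-only tricks land here.
    if strip_punct(legit) in strip_punct(bare):
        return "lookalike"
    # Case 2: a character or two away from the real name (typo-squats).
    if edit_distance(bare, legit) <= max_distance:
        return "lookalike"
    return "other"


def scan_email(body: str, legit: str = LEGIT_DOMAIN) -> list:
    """Extract every http(s) link from an email body and classify its host."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:")  # trailing sentence punctuation is not part of the link
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host, legit)))
    return results


# Constructed sample message for this example; the lookalike domain is made up
# (.test is a reserved TLD that never resolves) and is not the URL from the real scam.
SAMPLE_EMAIL = """\
Dear Covered Entity,

Please review the audit program at https://www.hhs.gov/ and then begin
your submission at http://www.hhs-gov.test/audit within 10 days.

To stop receiving these notices visit http://example.test/unsub.
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The decisive test is `is_legit_host`: a link is trusted only when its host actually sits under hhs.gov, which is how the punctuation trick described above is defeated. The lookalike heuristics exist to prioritise review, not to replace it; a near-miss such as a legitimate unrelated domain two edits away would also be flagged and needs a human to look at it.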

Both HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) were created in response to rising concern about protecting personal medical information. These laws established national standards for the privacy and security of protected health information and introduced breach notification procedures for consumers. The HIPAA Privacy, Security and Breach Notification Audit (HIPAA Audit) originally stems from HITECH and determines whether HIPAA covered entities and their business associates are in compliance with the HIPAA Privacy, Security and Breach Notification Rules. The pilot audit program began in 2012 as part of the effort to ensure and test compliance by HIPAA covered entities and their business associates.

The HIPAA Audit pilot program, also referred to as the Phase 1 audits, worked with about 115 covered entities to test their compliance programs. The pilot audit process mimicked audit procedures used in other areas. Each audit included an onsite visit to the entity, followed by an audit report, a draft of which was shared with the entity. During the onsite visits, auditors observed daily operations and spoke with employees throughout the organization to gauge other compliance efforts. The draft audit report given to the entity described how the audit went and discussed any issues that arose. The covered entity could then take corrective action on those specific issues, and these additional compliance efforts were added to the final audit report given to OCR.

This phishing attack garnered a lot of attention because it coincided with the start of the Phase 2 audits in 2016. The Phase 2 audits, which officially began in July 2016, will audit over 200 HIPAA covered entities and are divided into three sets: two rounds of desk audits and one round of onsite audits. The desk audits ask covered entities to submit documentation of their policies and procedures for HIPAA compliance. The Phase 2 audits continue the work of the pilot program and will measure the compliance standards each entity has implemented for the Privacy, Security and Breach Notification Rules. Further, the Phase 2 audits allow OCR to review best practices for compliance and to identify risks and other issues that previous enforcement failed to catch.

Phishing attacks by email have been on the rise in recent years. The emergence of a phishing campaign disguised as a communication from a government entity like HHS is especially problematic, because covered entities and business associates may be more inclined to trust it, leaving their operations vulnerable. Every covered entity must now take additional precautions to ensure that employees who may receive information about OCR HIPAA Audits are on the lookout and can readily identify phishing attempts. Although these emails are remarkably similar to the real HHS OCR Audit Program emails, their links are still distinguishable from HHS OCR's actual web address, and every such precaution can save an entity from a security breach.


The OCR Alert can be found at: